Patching OS X is simple, yet some people still put it off. A new malware variant sets out to punish those who haven't been keeping up to date with updates.

The new variant is a Trojan horse called 'Flashback.G', and it makes use of two exploits found in older versions of the Java runtime. Users with Macs running OS X 10.6 'Snow Leopard' are particularly at risk, since this version came with Java preinstalled while 10.7 'Lion' did not.

According to security firm Intego, this malware uses three tricks to try to get itself installed onto a system:

This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention. If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.

Image credit: Intego

This Trojan looks for specific websites (such as Google, Yahoo!, CNN, bank websites, PayPal, and so on) and tries to grab the user names and passwords used to log onto the sites.

If you are running OS X 10.6 then it is vitally important that you check to see that you have the latest Java update installed by running Software Update from the Apple menu.

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technic...
